Author Topic: Forensic Software (miscellaneous)  (Read 7017 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 158890
  • No input, no output
    • DVB-Cube
Autopsy 4.18.0
« Reply #120 on: 01 August, 2021, 09:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

Keyword Search:

    A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
    Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
    -- NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
    -- See http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/upgrade_solr8_page.html for more details.
    Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.

Domain Discovery:

    Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
    Updated the Domain Discovery grouping and sorting by options.
    Added basic domain categorization for webmail-based domains.

Content Viewers:

    Built more specialized viewers for web-based artifacts.

Data Source Summary:

    Added a “Geolocations” tab that shows what cities the data source was near (based on geolocation data).
    Added a “Timeline” tab that shows counts of events from the last 30 days the data source was used.
    Added navigation buttons to jump from the summary view to the main Autopsy UI (for example to go to the map).

Ingest Modules:

    New YARA ingest module to flag files based on regular expression patterns.
    New “Android Analyzer (aLEAPP)” module based on aLEAPP. Previous “Android Analyzer” also still exists.
    Updated “iOS Analyzer (iLEAPP)” module to create more artifacts and work on disk images.
    Hash Database module will calculate SHA-256 hash in addition to MD5.
    Removed Interesting Item rule that flagged existence of Bitlocker (since it ships with Windows).
    Fixed a major bug in the PhotoRec module that could result in an incorrect file layout if the carved file spanned non-contiguous sectors.
    Fixed MBOX detection bug in Email module.

Reporting:

    Attachments from tagged messages are now included in a Portable Case.

Misc:

    Added support for Ext4 inline data and sparse blocks (via TSK fix).
    Updated PostgreSQL JDBC driver to support any recent version of PostgreSQL for multi-user cases and PostgreSQL Central Repository.
    Added personas to the summary viewer in CVT.
    Handling of bad characters in auto ingest manifest files.
    Assorted small bug fixes.

http://www.sleuthkit.org/autopsy

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

Autopsy 4.19.0
« Reply #121 on: 02 August, 2021, 19:00 »
Changelog

Data Source Management:

    To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
    Hosts can be grouped by “person”, which is simply a name of the owner.
    The main tree viewer can be configured to group by person and host.

OS Accounts:

    Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
    OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
    NTFS files are associated with OS Accounts by SID.
    The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
    OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
    A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.

Analysis Result and Data Artifacts

    All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
    New “Analysis Result” content viewer shows the results for a given file and its score.
    The tabular results viewer shows an icon for the aggregate score of a file.
    The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”

Discovery UI:

    Domain categorization and account types are displayed in Domain Discovery results.
    The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
    Check boxes are now used to select search options instead of shift-based multi-select.

Ingest Modules:

    File metadata updates are batched up before being saved to the case database for better performance.
    Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
    EML email parsing handles EML messages that are attachments (and have their own attachments).
    Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
    Account IDs and Installed Applications are added to the Central Repository.
    Keyword search can be configured to only do OCR and skip non-OCR files.

Miscellaneous:

    A “Reset Windows” feature was created to help redock windows.
    A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
    Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
    More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
    Added option to only perform optical character recognition on certain file types.
    Heap dumps can be saved to a custom location.
    More detailed error messages about encrypted disks when they are added.
    Added file size filter to Ingest Filters.

Performance:

    Keyword search does not make an explicit commit for each report if ingest is running.
    Language ID is performed on a small subset of a file instead of the entire file.
    Recent Activity is more efficient because of TSK changes to file searching (using extension).
    Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
    Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
    Moved Data Source Summary Panel population code to background threads.
    Moved Node/Tree queries to background threads.

Bug Fixes:

    Fixed embedded file extractor file name escaping bug.
    Detect VHD files by signature and not extension.
    Fixed iLEAPP path error.
    Content viewers UIs are more consistent.
    Assorted bug fixes are included.

Auto Ingest:

    The Auto Ingest Dashboard is resizable.
    Get thread dumps from AID
    Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.

http://www.sleuthkit.org/autopsy

Offline SiLæncer

OSForensics 9.0.1000
« Reply #122 on: 05 August, 2021, 09:00 »
Changelog
       
    Map Viewer:

    Added Map Viewer module which enables users to view GPS locations marked on a world map.
    Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
    Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (i.e. Geocoding)
    Added map email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.

    Auto Triage:

    Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
    Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.

    Boot VM:

    Updated to now allow booting for MacOS (10.13 and above)
    Now includes support for VMWare Workstation Player 16

    Clipboard Viewer and Signatures Module:

    Restructured UI for consistency and simplicity in OSForensics user experience

    Create / Search Index:

    Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
    Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allows indexing of GUID values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
    Added sub tabs under ‘Browse Index’. These include Words, Files and Protected lists.
    Added "Save to disk" checked items menu option
    Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
    Fixed bug with "Search Index", when matching exact phrases only found in meta description
    Fixed crash bug for when page is near end of index
    Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
    Fixed timeline filter and other UI issues
    Fixed cleanup of previous state when closing case
    Fixed bug with email indexing causing corrupt index when long header or attachments are used as description in index
    Fixed crash bug when corrupt index is encountered during a search and cleanup occurs, and subsequent searches did not reload the index
    Added handling for partial index unloaded/reloading due to unexpected error cases (low memory, corrupt index, etc.)

    Disk Preparation:

    Fixed a bug stopping Disk 0 from being formatted

    Decrypt File:

    Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.

    Deleted File Recovery:

    Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
    Added ability to right click on an extension in the scan status tab to view the set of files.
    Added the Face and Nudity Scan feature to the sorting option
    FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
    Fixed display bug where scrolling to the right and then back, where the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
    Fixed a crash that could occur when no files were found

    Device Manager:

    Added support for per-volume encryption, as used in newer versions of Apple’s APFS file system.

    Email Viewer

    Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
    Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
    OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
    Added support for indexing EMLX files from Apple Mail
    Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case

    Event Log Viewer:

    Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (e.g. “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX").

    File Name Search:

    Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
    Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
    Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
    Fix stack overflow crash due to large local string variables
    Changed search preset name ‘Windows Shortcut Files’ to ‘LNK Files’
    Updated the P2P pre-sets to include UseNet related keywords

    Hash Sets and Create Hash:

    Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
    Added SHA3 (256, 512) as hash options

    Internal Viewer:

    Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
    Jump to file when double clicking thumbnail
    Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
    When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
    Improved drawing performance and navigation buttons.
    Hex view, add 'Export strings...' link to string extractor
    Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
    Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
    When analyzing images, add right-click menu options to embedded thumbnails to 'View with internal viewer...' and 'Add to Case'

    Mismatch Search:

    Restructured UI for consistency and simplicity.
    Fix bug with 0 byte files not being excluded from results

    Password Recovery:

    Restructured UI for consistency and simplicity.
    Distributed password cracking with support for Multiple GPUs (Pro Only). Supports up to 1000 total clients when using distributed cracking
    Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords

    Program Artifacts:

    Restructured UI for consistency and simplicity.

    Raw Disk Viewer:

    Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)

    System Information:

    Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link).

    Thumbnail Viewer:

    Fixed drawing of images with alpha channel.

    Tag/Untag:

    Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
    Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer’ will open the SQLite database where cookie was stored.
    Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager

    User Activity:

    Restructured UI for simplicity and consistency.
    Moved 'Remove filter' link to 'Activity Filters' drop down
    Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
    Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
    Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
    Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
    Fixed activity-specific right click menu options and enter/double click options
    Added support for parsing UseNet NZB files to display filename, file size, poster and time
    Added Newshosting UseNet client P2P artifacts
    Changed the tree-view “Most Recently Used” item to be collapsed by default
    Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
    Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
    Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
    Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
    Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
    Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
    Added support to collect details about recently viewed PDF files in Acrobat Reader and their file size and page numbers.
    Added an option in the config window to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them
    Added support to collect the VLC Media Player last opened filepath by parsing its .ini file

    Start Menu:

    Added search bar to the start page to quickly find OSF features

    Workflow:

    Set Mount Drive Image button to be hidden by default in the Workflow menu. This was done as the Add Device function is preferable in nearly all cases

    Python API:

    Add methods for adding/removing device from case (including BitLocker and Volume Shadow devices)

    Remote Server:

    Fix bug in creating destination folders when source path is a network folder

    Security:

    Update EXIFTool to 12.25 due to ACE security vulnerability

http://www.osforensics.com/

Offline SiLæncer

Autopsy 4.19.1
« Reply #123 on: 10 August, 2021, 11:00 »
What's new:

    Bug Fixes:

    Fixed connection leak associated with creating OS Accounts
    Decreased priority of OS Account Content Viewer
    Misc bound check fixes in TSK

http://www.sleuthkit.org/autopsy

Offline SiLæncer

OSForensics 9.0.1001
« Reply #124 on: 17 August, 2021, 19:00 »
Changelog
       
    Auto Triage:

    Fixed bug with loading user-specified logical image file type settings from config file

    Case Manager:

    New right click option in the case list to open the containing folder (in Windows Explorer).

    Clipboard Viewer:

    Changed linking of WinRT libraries shcore library for Win7 compatibility

    Disk Image:

    Cleaned up the word wrapping on message box warning

    Email Viewer:

    Increased size of 'To' and 'Cc' fields. Enabled word wrapping.

    Filesystem Support:

    Fixed bug in FAT entry offset calculation due to using float type. This caused incorrect offset calculation on exFAT file systems

    File Name Search:

    Added status window for adding files/folders to logical image to improve responsiveness when adding a large number of items

    Internal Viewer:

    When viewing PDF files earlier than Win8, use text conversion instead of native PDF viewer
    Changed linking of WinRT shcore library for Win7 compatibility
    Changed linking of WinRT Windows.Data.Pdf.dll library for Win7 compatibility

    Logical Image:

    Fixed performance issues when adding/removing sources when there are large number of existing items

    Password Recovery:

    Changed linking of OpenCL.dll to delay for Win7/8 compatibility

    Python API:

    Updated youtube-dl to newest version
    Added new Python script template for recursing directories in a file system, ignoring specified extensions and subdirectories

    Start Window:

    Search bar now searches as text is entered.
    Changed search to ignore word order, allow results for (n-1) search terms if no results, return help file if no results.
    Prevent certain search inputs that could cause unintended behaviour.

    WebBrowser:

    Updated web browser module to use webview2. On systems that support it (i.e. have chromium edge installed), the webview2 browser will be used, for systems without, will use the old browser control.
    Change linking of GetDpiForWindow for Win7 compatibility
    GUI Navigation/Icons should be less blurry
    Removed Save Page/Add to Case button/option (it is not implemented/supported by Webview2)
    Fixed issue with resizing browser window below minimum size and buttons moving out of place.
    Export Page, fixed possible bug when downloading a file/video fails causing OSForensics to crash.
    Changed default capture area (camera button) to Whole Page.
    GUI Added visible note to users notifying them that right click options (Save As and possibly Print) on webpages are not working due to webview2 running in elevated permissions as required by OSF.

http://www.osforensics.com/

Offline SiLæncer

BruteShark 1.2.3
« Reply #125 on: 01 September, 2021, 22:00 »
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: extracting passwords, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline Brute Force attack.

License: GPLv3

What's new:

    Add "Clear Results" button (following #95).
    Bug fix - although a certain network interface was selected at the user interface, another network card was selected behind the scenes (following #99, #100).
    Upgrade to SharpPcap 6.0.0 (better performance among other improvements).

https://github.com/odedshimon/BruteShark

Offline SiLæncer

OSForensics 9.0.1002
« Reply #126 on: 08 September, 2021, 11:00 »
Changelog
       
Auto Triage

Support for saving compressed Case files (experimental)
Support for uploading Case files to FTP server (experimental)
Fixed UI mouseover issues

Case Manager

Support for importing compressed Case files (experimental)
Fixed an error that occurred when trying to create a case in a network path

Create / Search Index

Fix crash bug when indexing corrupted OLE files (OLE is used in old style XLS, DOC, PPT files)
Added export of "lastfailedindexcfg.zcfg" for debugging purposes when indexing fails
Fixed potential crash bug with buffer issues in indexer

Memory Viewer

When running from network drive, DirectIo driver copied to temporary directory before loading. This is required because device drivers aren't loaded by Windows from network drives.
When saving memory dump to network location, saves to temporary location before moving to network path

Start Window Search

Fixed home/end keys in text input
Added more search results

User Activity

Fixed potential memory buffer overflow crash in function on Win XP
Fixed a crash that could occur when collecting SRUM artifacts on Windows 11

Misc

Fixed crash when running from network drive
Update OpenSSL library in use to 1.1.1L. Previous version in use was v1.0.2L. This fixes a couple of potential security issues in OpenSSL.
Updated help documentation for internal viewer, E-mail viewer, map viewer, file name search map view, updated screenshots

http://www.osforensics.com/

Offline SiLæncer

BruteShark 1.2.4
« Reply #127 on: 15 September, 2021, 22:00 »
Changelog

This version contains an implementation of a new network model.
That data structure's role is to store the current network state including all the extracted items.
Apart from the fact that this refactor improves the readability and structure of the code, thanks to this data structure different display components can share information while maintaining unconsciousness from each other (e.g the Network Map user control can now access DNS records if there are any).

Main Features:

    Network Map user control now has a control that describes the node details: open ports, DNS records, sessions count.
    The exported files include a new file named "BruteShark Network Nodes Data.json" that holds all the nodes details (following issue #77).
    Better performance.

https://github.com/odedshimon/BruteShark

Offline SiLæncer

BruteShark 1.2.5
« Reply #128 on: 01 October, 2021, 10:00 »
Changelog

    This version contains a few improvements and features:

    First, the network map was upgraded by adding additional fields that enable getting insights about domain users and the amount of data transferred from each point in the network:
    Sent data - The amount of data (bytes) sent by the host.
    Received data - The amount of data received (bytes) by the host.
    Domains - the domains that the host is a member of.
    Domain users - domain users that logged into the host.
    These fields will also appear in the "BruteShark Network Nodes Data.json" file that holds all the nodes details.

    Secondly, the BruteSharkDesktop installer file was upgraded:

    Allows upgrading an existing version of BruteSharkDesktop without the need to manually remove the old version.
    Set the license also at the installer prompt.

https://github.com/odedshimon/BruteShark
